The notorious Coreflood botnet has been defeated by FBI investigators using an unprecedented tactic. The Justice Department announced Thursday that it has disabled a zombie network of millions of Windows machines infected by Coreflood, malware that steals personal financial information from unsuspecting users. To disable Coreflood, the FBI seized the botnet’s servers and replaced them with servers that command the zombie machines to shut down the malware.
Disabling the Coreflood botnet
The Coreflood botnet, which has mutated for years to stay ahead of the law, infected about 2.3 million computers with malware designed to record keystrokes and steal passwords, banking information and credit card numbers.
The FBI achieved a breakthrough in the Coreflood investigation when it seized five command and control servers, which were remotely controlling hundreds of thousands of infected computers, along with 29 Internet domain names the bots use to find those servers. After getting approval from a judge, the FBI, working with the non-profit Internet Systems Consortium, replaced the Coreflood servers with its own. On Tuesday night the FBI's servers began answering the bots' check-ins with a command that stops the malware from running.
Because the infected machines now report to servers under its control, the FBI can tell ISPs which of their customers' machines have been turned into Coreflood zombies, and the ISPs in turn can inform those victims that they have been compromised.
How to kill a zombie
In the past, law enforcement officials have disabled botnets by taking down their servers, but that leaves the malware on the infected machines. Authorities could not remotely terminate it, because the same laws that make it illegal for a botnet to run unauthorized programs on someone else's computer also apply to them. This left open the risk that the criminals could regain control of the domain names and IP addresses that the infected machines are programmed to contact. If they did, a new set of command and control servers could reconnect with the zombie computers and bring the botnet back to life.
The servers installed by the FBI still cannot remove the malware from the infected machines. But each time one of the botnet's zombies reboots, the malware restarts and checks in with its command and control servers, and the FBI's servers answer with a command telling it to shut down. The Coreflood botnet is therefore inert only as long as the FBI servers remain in place to answer those check-ins.
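The mechanism described above (a substitute server that answers every check-in with a stop command and records who checked in so ISPs can be notified), together with the re-emergence risk from the previous paragraph, as an added example. This is illustrative code written for this page, not the FBI's or ISC's tooling: the check-in format, the command names "stop" and "run", the domain names and the IP-to-ISP table are all assumptions, and none of it is Coreflood's real protocol.

```python
"""Toy model of a law-enforcement sinkhole standing in for a seized C2 server.

Constructed example: the check-in format, command names and the IP-to-ISP
table are invented for illustration and are NOT Coreflood's protocol.
"""
from dataclasses import dataclass, field


@dataclass
class Sinkhole:
    """Substitute C2 server: answers every check-in with 'stop' and keeps a
    victim list so ISPs can be told which of their customers are infected."""
    seized_domains: frozenset
    victims: dict = field(default_factory=dict)  # bot_id -> source IP

    def handle_checkin(self, domain: str, source_ip: str, bot_id: str) -> str:
        assert domain in self.seized_domains, "sinkhole only answers seized names"
        self.victims[bot_id] = source_ip
        return "stop"  # cannot uninstall anything; only tells the process to exit

    def notifications(self, isp_by_prefix: dict) -> dict:
        """Group recorded victim IPs by ISP using a constructed prefix table
        (a real sinkhole would resolve this through WHOIS/ASN data)."""
        report = {}
        for _bot_id, ip in sorted(self.victims.items()):
            prefix = ".".join(ip.split(".")[:2])
            isp = isp_by_prefix.get(prefix, "unknown")
            report.setdefault(isp, []).append(ip)
        return report


@dataclass
class CriminalC2:
    """What the operators' server would do if they re-registered a seized
    domain: answer check-ins with a command that keeps the bot running."""
    def handle_checkin(self, domain: str, source_ip: str, bot_id: str) -> str:
        return "run"


@dataclass
class Bot:
    """Infected host. On every reboot the malware autostarts, then polls its
    hard-coded C2 domain list and obeys the first answer it receives."""
    bot_id: str
    source_ip: str
    c2_domains: tuple
    running: bool = False

    def reboot(self, resolver: dict) -> str:
        self.running = True                    # autostart entry fires on boot
        for domain in self.c2_domains:
            server = resolver.get(domain)      # None models a non-resolving name
            if server is None:
                continue
            cmd = server.handle_checkin(domain, self.source_ip, self.bot_id)
            if cmd == "stop":
                self.running = False
            return cmd
        return "no-c2"                         # no orders: keeps running


ISP_BY_PREFIX = {"198.51": "ExampleNet", "203.0": "SampleTel"}  # constructed


def simulate(reregistered: bool = False) -> dict:
    """Reboot three constructed bots twice. With reregistered=True the first
    domain is handed back to the operators before the second reboot, which
    models the botnet reviving once the sinkhole stops answering."""
    domains = ("c2-a.example", "c2-b.example")
    sink = Sinkhole(seized_domains=frozenset(domains))
    resolver = {d: sink for d in domains}
    bots = [Bot("bot-1", "198.51.100.7", domains),
            Bot("bot-2", "198.51.100.9", domains),
            Bot("bot-3", "203.0.113.4", domains)]
    first = {b.bot_id: b.reboot(resolver) for b in bots}
    if reregistered:
        resolver[domains[0]] = CriminalC2()
    second = {b.bot_id: b.reboot(resolver) for b in bots}
    return {
        "first": first,
        "second": second,
        "running_after": sorted(b.bot_id for b in bots if b.running),
        "report": sink.notifications(ISP_BY_PREFIX),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("reregistered" if mode else "sinkholed", simulate(mode))
```

Run with the sinkhole in place, every reboot ends with the malware stopped and the victim report groups the check-in addresses by ISP; hand one seized domain back to the operators and the very next reboot leaves every bot running again, because the malware itself was never removed. That is the gap between a temporary restraining order and a cleanup.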
Will the zombies rise again?
Coreflood was a long-running threat. It emerged in 2003 and was updated regularly to evade anti-malware software. It enabled cybercriminals to steal millions from victims, although the full extent of the financial losses is unknown, according to the Justice Department. Prosecutors filed civil wire fraud and bank fraud charges against 13 unidentified defendants, listed in the complaint as John Does, who are suspected to be foreign nationals in eastern Europe. The Coreflood botnet has been disabled for the time being, but it has not been ruled out that it could re-emerge in another form: the restraining order that allows the FBI servers to keep the malware dormant on the infected machines is temporary.
Ars Technica: http://bit.ly/gUSc27
BBC News: http://bbc.in/hCgeL9
Wall Street Journal: http://on.wsj.com/ha8Qng